Small Branch—Dial Backup to Cisco VPN 3000 Concentrator

This design was proposed to meet the requirements for a national catalog retail business that has approximately 60 retail stores in addition to the direct mail and Internet web business model. The retailer has an existing Cisco VPN 3000 Concentrator that supports remote access software clients, and wants to use that device as an IPSec head end to serve as a crypto peer for dial backup if the primary path over the Internet fails. The application supported is primarily point-of-sale transactions.

Topology

The topology in Figure 5-1 shows the use of a Cisco 1712 router that includes a Basic Rate ISDN interface; however, the design can be adapted to use a Cisco 1711 and to dial either the access server of an Internet Service Provider or an access server provisioned by the enterprise.

Figure 5-1 Topology Dial Backup to Cisco VPN 3000

The design shows the use of one Cisco IOS head-end IPSec peer that is also the SAA target device for the Reliable Static Routing Backup Using Object Tracking feature in Cisco IOS Software.

The enterprise intranet backbone router is configured to route packets to the remote subnets using the IPSec primary router if the Reverse Route Injection (RRI) network advertisements appear in its routing table; otherwise, the packets are routed to the Cisco VPN 3000 Concentrator.

The VPN 3000 Concentrator is configured with a default route to the ISDN WAN router; however, for higher availability, a customer deployment might use a Hot Standby Router Protocol (HSRP) address shared between a pair of WAN routers, or enable OSPF or RIP on the outside interface and participate in a dynamic routing protocol with the various WAN routers.

Failover/Recovery Time

There is a difference in configuration between the ISDN backup in the previous section and this configuration. As previously described, the Basic Rate ISDN interface is a backup interface for a tunnel interface, and the interface up/down state is keyed off the tunnel interface state. In this configuration, a dialer idle-timeout is configured, as well as a dialer-list that excludes IKE packets from the definition of interesting traffic.

EZVPN—Tunnel Goes to SS_OPEN State on Re-establishing Connection

It appears in some instances that the Cisco 1712 is exposed to the following condition: CSCin53097 EZVPN—tunnel goes to SS_OPEN state on re-establishing connection. The following is a successful and unsuccessful initiation of the EZVPN tunnel to the VPN Concentrator. To force the primary path down, an ISP link failure was simulated.

RRI Fails to Insert the Appropriate Static Route

In the test topology, without a default route in the routing table of the vpnjk2-2691-1 router (the primary IPSec head-end router), RRI fails to insert the appropriate static route into the routing table. This was observed using Cisco IOS Version 12.3(5). This defect is documented in CSCed69116.

V3PN QoS Service Policy

The V3PN QoS service policy in this configuration is similar to the other chapters in this guide.

Performance Results

Performance results for the Cisco IOS and VPN concentrator head-ends are shown in Table 5-1.

Table 5-1 IPSEC/DPD/RRI Performance

Head-End Platform              Spokes   Bi-Directional    Bi-Directional    CPU             Stopping
                                        Traffic (Mbps)    Traffic (Kpps)    Utilization %   Point
Cisco 3745 (AIM-II)              120        22.5              14.5             80            CPU
Cisco PIX 535 (VAC+)             500       167                84               89            CPU
Cisco 3080 (SEP/SEP-E)           138        38.8/39.4         19.6/19.6        80/52         CPU
Cisco 7200 NPE-400 (VAM1)       1040        71.7              31.7             88            CPU
Cisco 7200 NPE-G1 (2xVAM1)      1040       106.7              48.1             81            CPU
Cisco 7200 NPE-G1 (2xVAM2)      1040       108.7              48.7             77            CPU
Cisco Catalyst 6500 (VPNSM)     1040      1029.3             488.7             N/A           VPNSM

These test results are from an IPSec/DPD/RRI test bed configuration using a voice and data traffic mix.

In a deployment where the VPN 3080 is acting as a backup head end to provide connectivity for point-of-sale terminals or cash machines over an Async interface with no voice traffic, these are very conservative performance numbers.

If the 3080 also supports VPN access by remote users with a VPN software client in addition to functioning as a backup IPSec head end for remote locations, the performance characteristics vary.

Note: The Cisco PIX OS earlier than Version 7 does not switch a packet in and out of the same interface in the tested release of the code.

Implementation and Configuration

This section describes the implementation and configuration of the Dial Backup to Cisco VPN 3000 Concentrator solution. It includes the following topics:

Enterprise Intranet Backbone Router(s)

The enterprise intranet backbone router is designated as vpnjk-2600-5 in Figure 5-1. A large enterprise customer may have one or more routers that connect their extranet to the intranet. The function of this router is to route packets for the remote subnets to the appropriate IPSec head-end device, either the Cisco IOS head-end or the VPN concentrator. If an active IPSec tunnel is available on the Cisco IOS head end, this is the primary or preferred path. If no IPSec tunnel is available for the remote subnet, the packets are routed to the VPN concentrator.

This router is an EIGRP neighbor with the Cisco IOS IPSec head-end router, and it learns external routes of the specific remote subnets using EIGRP. In this example, the network prefix is /25. There is a static route to a /18 prefix that represents the address space of all the remote subnets. If the more specific /25 route does not exist, the /18 route is followed, connecting to the VPN 3000 Concentrator.

Note: There is a /25 route for each remote subnet active over the primary path. The /18 prefix will always be in the routing table.

vpnjk-2600-5#show ip route

...

S 10.0.64.0/18 [1/0] via 10.2.128.30

D EX 10.0.68.0/25

[170/10258432] via 10.2.120.4, 00:09:36, FastEthernet0/1.120
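The route selection described above, as an added example that is not part of the design guide: a small longest-prefix-match routing table built from the two routes in the show ip route excerpt (the static /18 toward the VPN 3000 Concentrator and the EIGRP external /25 that RRI injects via the primary head end). The class and function names are assumptions for illustration; withdrawing the /25 models the RRI route disappearing when the primary IPSec tunnel goes down, and the lookup falls back to the /18 toward the concentrator.

```python
import ipaddress

# Constructed from the vpnjk-2600-5 "show ip route" excerpt: static /18 summary
# toward the VPN 3000 Concentrator, EIGRP external /25 (RRI) via the primary path.
STATIC_TO_VPN3000 = ("10.0.64.0/18", "10.2.128.30", "S")
RRI_VIA_PRIMARY = ("10.0.68.0/25", "10.2.120.4", "D EX")


class Rib:
    """Minimal routing table using longest-prefix match, as an IOS lookup does."""

    def __init__(self):
        self.routes = {}  # ip_network -> (next_hop, source)

    def add(self, prefix, next_hop, source):
        self.routes[ipaddress.ip_network(prefix)] = (next_hop, source)

    def withdraw(self, prefix):
        # EIGRP withdraws the /25 once the IPSec SA and its RRI route are gone.
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        best = None
        for net, (next_hop, source) in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop, source)
        return None if best is None else (str(best[0]), best[1], best[2])


def backbone_next_hop(rri_route_present, dst="10.0.68.10"):
    """Return (prefix, next_hop, source) the backbone router picks for dst.

    rri_route_present=True models the primary IPSec tunnel being up; False
    models the tunnel (and therefore the RRI /25) having been withdrawn.
    """
    rib = Rib()
    rib.add(*STATIC_TO_VPN3000)
    if rri_route_present:
        rib.add(*RRI_VIA_PRIMARY)
    return rib.lookup(dst)


if __name__ == "__main__":
    print("tunnel up:  ", backbone_next_hop(True))
    print("tunnel down:", backbone_next_hop(False))
    # A store subnet with no RRI route at all always follows the /18.
    print("other store:", backbone_next_hop(True, "10.0.70.1"))
```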

IPSec Primary and SAA Target Router

In other chapters of this guide, the head-end SAA target router and the IPSec head-end routers are separate routers. In this example, both functions are implemented on one router. When there is only one IPSec head-end router, it is practical to use its IP address as the SAA target. If the IPSec tunnel is down, the SAA address is down. When the design has multiple primary peers, it may be advantageous to use a separate SAA target router. A disadvantage to this design is that if the SAA target router is down and the IPSec peers are functional, the backup mechanism is activated when it is not really needed.

Primary WAN Router

This section shows the configuration of the primary enterprise WAN router. There is an issue in the RRI code that presents a problem if there is no default route in the routing table of the IPSec head-end router. To circumvent this issue, this WAN router is configured to advertise a 0/0 route into EIGRP 100 so that the IPSec head-end router learns a default route. In the event that this router is down or out of service, the secondary WAN router should be similarly configured.

Cisco VPN 3000 Concentrator Configuration

The Cisco VPN 3000 Concentrator is configured with a default route (gateway) of 192.168.131.3, which is the head-end ISDN WAN router. The inside or private address is on the same subnet as the enterprise intranet router. The external address is a lab flashnet address for management.

Cisco IOS Versions Tested

The IPSec head-end router was a Cisco 2691 with an AIM hardware VPN module. The Cisco VPN 3000 Concentrator was a Cisco 3080 running Version 4.0.4.A.

This testing was not intended to scale test head-end performance capabilities. In a customer deployment, using IPSec head-ends with suitable performance characteristics aligned with the number of remote routers is advised.

Summary

This design applies to a small-to-medium-sized business with an existing remote access solution using a Cisco VPN 3000 Concentrator that wants to leverage this device to provide backup coverage. This chapter described the head-end routing configuration to demonstrate how you can use a combination of dynamic and static routing to route packets to the appropriate head-end device. The example in this section described the use of Basic Rate ISDN for the dial-backup links, but Async dial-up to an ISP can also be used.